18 June 2013
This is the first in a three-part series on the United States government’s PRISM programme.
Also see Part Two: What’s wrong with PRISM? and Part Three: How can we make our online lives more secure?
Edward Snowden’s revelations published in the Washington Post and Guardian about the United States Government’s PRISM programme raise many questions and few answers. There’s no shortage of commentary in English-language media pondering the consequences for Americans. But PRISM is even more relevant to the over 2 billion non-American users of the Internet and it’s with that in mind that I’ve written this trilogy of articles.
The Post article discusses safeguards for American citizens but disregards the privacy of the rest of the world. The search terms for extracting data, the Post explains, are “designed to produce at least 51 percent confidence in a target’s ‘foreignness.’” Then, without insight into its provincialism, the article states, “That is not a very stringent test.” As if intrusion into foreigners’ communication is okay.
The Post also explains:
The Obama administration points to ongoing safeguards in the form of “extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons.”
The US Director of National Intelligence, James Clapper, reassures us, without explicitly acknowledging PRISM’s existence, that it is “designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States.” The data “cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States.”
However few the legal safeguards to protect the privacy of the citizens of the US, there are even fewer for the rest of us.
What is PRISM?
We know little about PRISM. It is a secret program of the US government’s National Security Agency (NSA) that collects data from most of the major providers of internet services about people across the globe.
According to slides leaked by Snowden, the NSA has access to email, chat, videos, photos, stored data (which presumably means documents), file transfers, video conferences, logins, social networking details and special requests. The companies from which it gets data are Microsoft (including Hotmail), Google, Facebook, YouTube, Skype, AOL, Apple and Paltalk.
The program started in 2007 and costs $20 million a year. Microsoft was the first company to have data extracted and Apple the latest. Notable companies missing from the list are Twitter and, more importantly—because it holds a lot of data that people would consider private—Dropbox. There have however been reports that Dropbox data will soon be collected.
The Guardian also revealed that the US government is collecting the meta-data of phone records of millions of US customers of the company Verizon. Meta-data here is essentially telephone numbers and times of calls. This is being done under a secret court order of the Foreign Intelligence Surveillance Court which the Guardian published. The court order specifically excludes “substantive content” including “name, address or financial information of a subscriber or customer.” The order also compels Verizon to keep it secret.
If everything else about PRISM turns out to be false, the existence of this court order alone is a great scandal. Since this article is written for non-Americans I’ll say nothing more here of why it is that a country that is supposed to exemplify freedom and democracy has closed courts that issue such broad secret orders whose very existence is ordered to be secret.
What data does PRISM access?
This is the key question.
The Electronic Frontier Foundation (EFF) describes various scenarios. In the best ones, the NSA receives information on specific user accounts for specific investigations. Data is only sought if there is “substantial evidence of terrorism or other activities that might affect” US security. In this scenario, “at most hundreds or perhaps thousands of accounts have information passed on to the NSA every year.” In the worst scenarios, companies receive broad orders to hand over huge amounts of data regularly or continuously of “all users in a particular country, or any that contain” a specified phrase.
Which is more likely, the best or worst case scenarios?
The annual cost of the PRISM program, according to one of the leaked slides, is only $20 million. It’s difficult to imagine how large-scale data trawling can be done with this kind of money. By comparison Facebook is building a data centre that costs $1.5 billion. Ed Bott writes on the tech website ZDNet that there are technical problems with the Guardian and Post articles. “Make no mistake about it: This is an important story.” But, he argues, it is implausible that the data is pulled off the participating company servers through software back doors. Without a software backdoor, it would be difficult to transfer extremely large amounts of user data to the NSA. If Bott is right, the EFF’s best case scenarios are more likely.
However, according to James Bamford, writing for Wired, the NSA is constructing a massive $2 billion data centre in Utah. Why would it be doing this unless it intended to collect or is already collecting extremely large amounts of personal data? The broadness of the Verizon court order, even though it is restricted to meta-data, is also evidence for the worst case scenarios. An estimate by Brewster Kahle shows that storing all US phone data for a year would only cost $30 million. Storing only meta-data obtained via the Verizon court order would cost much less than that. We do not know yet what the NSA is getting from Google, Facebook, Microsoft, Apple and others. Snowden in a live interview on the Guardian appears to be saying that we are facing the worst case scenarios.
But at this point we just don’t know. Hopefully, this will be clarified during the next few weeks.
What has been the response of the implicated companies?
Google’s CEO, Larry Page, and Chief Legal Officer, David Drummond, wrote:
We have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.
Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period.
That appears to be unequivocal, but in fact it is not. These “denials” are cleverly tailored. Google’s privacy policy promises its users that their data will not be shared outside of Google, except for narrow reasons, like legal ones. I presume it’s the same for the other companies. I doubt these companies signed up to PRISM. Instead it is likely they have been press-ganged with court orders into sharing data, just as Verizon was. Page and Drummond hint that this is indeed what is happening:
Finally, this episode confirms what we have long believed—there needs to be a more transparent approach. Google has worked hard, within the confines of the current laws, to be open about the data requests we receive. … And, of course, we understand that the U.S. and other governments need to take action to protect their citizens’ safety—including sometimes by using surveillance. But the level of secrecy around the current legal procedures undermines the freedoms we all cherish.
Further evidence that the NSA has used court orders to compel data sharing by the big Internet companies comes from the New York Times. According to the Times, Yahoo only became part of PRISM after unsuccessfully contesting, in a secret court, demands for user data.
What we really need to know is how broad are the court orders and is there any special consideration for the privacy of non-Americans?
What is the National Security Agency (NSA)?
If you like watching action movies, you’ll know that the NSA is one of the main spy agencies of the United States government. It is responsible for gathering information and breaking codes but also protecting information. It’s a huge organisation. Its budget is confidential but at least several billion dollars a year. The number of employees is also secret but it is certainly tens of thousands. It’s an opaque institution and it’s fair to think it is rather sinister.
But it is not all bad. Ironically, the NSA has published very effective algorithms that anyone can use to help protect their passwords and their data from tampering, including from the NSA itself.
Bamford wrote in Wired, “The NSA has become the largest, most covert, and potentially most intrusive intelligence agency ever.” This is plausible and worrying.
It’s also important to realise that the US government is not a monolithic body. It has millions of people working for it, representing a multitude of interests and values. With stories like PRISM it is easy to be sucked into unhelpful debates which assume either that US institutions are all bad or all good. It is much more nuanced than that.
For example, it is in large part due to the defence arm of the US government that we have the Internet as well as encryption methods for keeping our passwords and files safe, even from the US government itself. On the other hand, while some in the US government, including the NSA, genuinely reassure us that they will protect privacy (though not apparently of people outside the US), other US civil servants and politicians are, within the increasingly wide bounds of US law, undermining it.
Who is Edward Snowden?
Many commentators are obsessed with this question. In complex stories like this it is easy to focus too much on the personalities involved—something Snowden was aware of and expressly wanted to avoid—instead of the substantive issues.
In a nutshell, according to the Guardian, Snowden was an employee of a private company called Booz Allen Hamilton and was contracted to work at the NSA. After leaking the existence of PRISM to the Guardian and Washington Post, he identified himself as the source and explained, “I have no intention of hiding who I am because I know I have done nothing wrong.” Booz Allen Hamilton then fired him.
Snowden fled to Hong Kong and has suggested he will seek asylum in Iceland. Interestingly, a few years ago the former World Chess Champion Bobby Fischer also received refuge from the US government in Iceland, where he subsequently died.
The Falcon and the Snowman is an excellent 80s movie. The story is based on the lives of Christopher Boyce (Timothy Hutton) and Andrew Daulton Lee (Sean Penn) who sold US government secrets to the Soviets in the 1970s. Robert Lindsey has written a book upon which the film is based. He also wrote a follow-up about Boyce’s brief but adventure-filled escape from prison during which he robbed banks.
Like Snowden, Boyce also worked for a company contracted to the US government. His job gave him access to top secret CIA documents. He claimed he became disillusioned with the CIA after discovering it was trying to bring down the Labour government in Australia. Boyce received a 40 year sentence for treason. He was released in the early 2000s.
Snowden’s youthful sense of adventure and stated commitment to principle remind me of Boyce. But Snowden, if he is telling the truth, is far more principled and, in contrast to Bobby Fischer, is sane. Much nastiness is being written about Snowden. Unless it is shown that PRISM is a hoax or that he released substantially false information, it’s best to ignore it. It doesn’t matter if Snowden is seeking attention, as his detractors claim, or has any other personality issues; what is important is the information he has made public.
Geffen is the editor of GroundUp. You can follow him on Twitter @nathangeffen.